Jeff

Can't read your attached file. Can you post the configuration of the devices and a topology diagram as attachments, as not all of us have PT, and then we can have a look. Your description is also confusing, i.e. you have two routers R1/R2 on one subnet, which doesn't make a lot of sense unless you mean you are running HSRP between the routers for the same subnet and then using a different subnet to connect to the L3 switch. Like I say, if you can post the configurations and also a quick diagram or PT layout we should be able to help.

Jon

Alex

As long as the copper ports are not oversubscribed then yes, you should be fine. If they are oversubscribed though, it could make a difference in terms of performance. As long as everything is working then I can't see an issue with what you have.

Jon

Alex

Things to consider:

1) distance between the switches is a key one and this may dictate what you can use, e.g. in buildings cable drops between the floors can often exceed the maximum distance of copper.
2) cost - copper is a lot cheaper.
3) copper can be more susceptible to electromagnetic interference.

In addition, the uplink ports on switches usually run at wire speed, where the standard ports may or may not. All that said, if everything was equal then yes, you could use copper ports to interconnect your switches.

If you installed two connections, one of the links would block on a per-vlan basis, assuming you were running an STP variant of PVST. If you wanted them both to pass traffic then you can make an etherchannel, which is a logical link containing a bundle of physical links. STP sees the etherchannel as one link so it can use both physical links. This does not necessarily give you 2Gbps though. It's to do with how the switch load balances traffic across the links and it's a bit complicated, but a quick example:

A client is sending 1.5Gbps to a server. Because the client's mac address/IP address and the server's mac address/IP address remain the same, the switch will only use one of the links, i.e. it will not spread the traffic across both links.

Two clients are each sending 750Mbps to a server. Because the clients are different in terms of mac/IP, the switch could put each client's traffic on a different link, as long as you were load balancing on source mac or IP address.

Note that on some switches it is not just the mac address/IP address that can be used to select a link. I was just keeping the example relatively simple.

Jon
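The link-selection behaviour Jon describes, as an added example that is not part of the original post: a simplified model of an etherchannel picking one physical link per flow. The hash (low-order bits of the selected header fields, XORed together) and the sample MACs/IPs are constructed assumptions for illustration, not a particular Cisco implementation.

```python
# Added example, not from the original post: simplified etherchannel link
# selection. The hash is an assumption (low-order bits of the selected
# fields, XORed); the point is that the chosen link depends only on those
# fields, so one client/server pair always lands on the same link.

def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def link_for_flow(flow, method, links=2):
    """Select a link index for a flow. 'method' mirrors the IOS
    port-channel load-balance keywords: src-mac, dst-mac, src-dst-mac,
    src-ip, src-dst-ip."""
    if links & (links - 1):
        raise ValueError("link count must be a power of two")
    fields = {
        "src-mac": [mac_to_int(flow["src_mac"])],
        "dst-mac": [mac_to_int(flow["dst_mac"])],
        "src-dst-mac": [mac_to_int(flow["src_mac"]), mac_to_int(flow["dst_mac"])],
        "src-ip": [ip_to_int(flow["src_ip"])],
        "src-dst-ip": [ip_to_int(flow["src_ip"]), ip_to_int(flow["dst_ip"])],
    }[method]
    h = 0
    for f in fields:
        h ^= f
    return h & (links - 1)  # keep only the low-order bits

def per_link_load(flows, method, links=2):
    """Mbps carried by each physical link for the given flows."""
    load = [0] * links
    for flow in flows:
        load[link_for_flow(flow, method, links)] += flow["mbps"]
    return load

# Constructed sample flows: one server, clients differing in the last byte.
SERVER = {"dst_mac": "00:00:00:00:00:10", "dst_ip": "10.1.1.10"}
SINGLE_FLOW = [dict(SERVER, src_mac="00:00:00:00:00:01", src_ip="10.1.1.1", mbps=1500)]
TWO_CLIENTS = [dict(SERVER, src_mac="00:00:00:00:00:02", src_ip="10.1.1.2", mbps=750),
               dict(SERVER, src_mac="00:00:00:00:00:03", src_ip="10.1.1.3", mbps=750)]
```

With two links, the single 1.5Gbps flow lands entirely on one link whatever the method, the two clients split 750/750 when balancing on source mac or IP, and balancing on destination mac alone puts both clients on the same link because the server's address never changes.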

Mark

Just a quick follow up. Following on from point 2), your setup would mean asymmetric routing could happen, i.e. inbound and return traffic could go via different backup POPs, but that doesn't necessarily mean that is a bad thing. One thing I didn't ask about was how are you handling the routing to the internet? Are you receiving a default route at each POP from the ISP and are you advertising these to the other POPs?

Jon

Mark

1) Don't think this will work unless you either - a) use an IGP between your POPs, i.e. redistribute BGP into the IGP, or b) more likely, make POP2 a route reflector and then the other POPs are route reflector clients. The issue is a BGP router that learns routes via IBGP cannot then advertise these routes to another IBGP peer.

2) Only mentioned this because currently you are prepending the same number of AS entries from each backup POP. This means if the POP that is connected to the network fails then traffic could come in via either of the backup POPs, i.e. it would be load balanced to an extent. If you have stateful devices at these sites you could have connectivity issues.

Other than that, can't see anything else that would cause an issue. Any other questions, let me know.

Jon
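The IBGP rule in point 1), as an added example that is not part of the original post: a toy propagation model showing that POP3 never learns a route POP2 received from POP1 over IBGP, unless POP2 is a route reflector with POP1 and POP3 as clients. The POP names, peerings and prefix are constructed, and no best-path selection is modelled.

```python
# Added example, not from the original post: toy model of the iBGP
# re-advertisement rule and of how a route reflector (RR) relaxes it.
# POP names, sessions and the prefix are constructed.
from collections import deque

class Router:
    def __init__(self, name, rr_clients=()):
        self.name = name
        self.rr_clients = set(rr_clients)  # non-empty => this router is an RR
        self.ibgp_peers = []
        self.rib = {}  # prefix -> (learned_from Router or None, "ebgp" | "ibgp")

def ibgp_peer(a, b):
    a.ibgp_peers.append(b)
    b.ibgp_peers.append(a)

def may_send(router, learned_from, via, peer):
    """eBGP-learned routes go to every iBGP peer. iBGP-learned routes are
    only passed on by an RR, and only when the source or the target peer
    is one of its clients."""
    if via == "ebgp":
        return True
    return learned_from.name in router.rr_clients or peer.name in router.rr_clients

def inject_ebgp(origin, prefix):
    """Learn prefix via eBGP at origin and propagate it over iBGP sessions."""
    origin.rib[prefix] = (None, "ebgp")
    queue = deque([origin])
    while queue:
        r = queue.popleft()
        learned_from, via = r.rib[prefix]
        for peer in r.ibgp_peers:
            if peer is learned_from or prefix in peer.rib:
                continue
            if may_send(r, learned_from, via, peer):
                peer.rib[prefix] = (r, "ibgp")
                queue.append(peer)

def pops_with_route(use_rr):
    """Chain POP1 -- POP2 -- POP3 of iBGP sessions; POP1 learns a prefix via eBGP."""
    pop1, pop3 = Router("POP1"), Router("POP3")
    pop2 = Router("POP2", rr_clients=("POP1", "POP3") if use_rr else ())
    ibgp_peer(pop1, pop2)
    ibgp_peer(pop2, pop3)
    inject_ebgp(pop1, "203.0.113.0/24")
    return sorted(r.name for r in (pop1, pop2, pop3) if "203.0.113.0/24" in r.rib)
```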

Mark

It's certainly possible and is a valid approach to doing it. Can you clarify a few points:

1) the IBGP peering between POP1 and POP3. It's not entirely clear from your diagram, but is there just one peering and it goes via POP2?
2) do you have any stateful devices at each site that traffic needs to go through to get to the internal networks, e.g. a firewall?

Jon

Okay, it looks like PBR would work. If vlan 2 only talks to the open access gateway, and from your diagram it looks like it does this on a separate interface than the one connected to vlan 5 from the gateway, then using VRFs may also be an option (if your IOS supports it). This is assuming that return traffic follows the same path, i.e. via vlan 5 to the open access gateway and then to vlan 2. If it did then you could place vlan 2 into its own VRF, which creates a separate routing table for vlan 2. This would mean vlan 2 could not access any other vlans on the switch because it has no visibility of any of the routes in the main (global) routing table. It also means you can then add a default route to the VRF routing table pointing to the open access gateway, and because it is a separate routing table it does not conflict with your existing default route. Using VRFs is more secure because of the fact that vlan 2 has no visibility of any of the other vlans.

Like I say though, it would only work if - 1) vlan 2 is connected to the gateway on a different interface, which it looks like it is, and 2) the path to and from the internet takes the same route. Up to you, and hopefully I haven't confused the issue, but just wanted to offer it as an alternative.

Jon

Rob

How are you trying to bring the tunnel up, i.e. src IP and dst IP would be helpful, together with which protocol/apps, i.e. are you pinging or trying to connect to an application etc. Also, could you run some debugging. So if you are trying to bring up the tunnel from the remote site, on the HQ ASA can you run -

debug crypto isakmp
debug crypto ipsec

and capture the output. Note debugging can put a strain on the ASA, so if you can, do this at a quiet time.

Jon

There are a couple of alternatives:

1) if you have an IP subnet split between the sites you could run HSRP or even GLBP between your core switches, which would mean each L3 switch had an interface in that subnet. So then you wouldn't need to add routes for these subnets because both L3 switches have interfaces in those subnets. You would still need routes for the subnets that only existed in site 1. It depends on how many subnets you are splitting between sites.

2) you could just add routes to the site 2 L3 switch pointing to the L3 switch in site 1, although this would mean sending traffic from site 2 to site 1 and then back to site 2 again.

Usually what you would have is separate subnets per site and then each L3 switch simply routes for its own subnets and exchanges routes with the other L3 switch. Is there any reason you need the same subnet at both sites? You may need to for servers but you may not.

Edit - personally, if you don't need the same subnet in each site I would have separate subnets per site and have each L3 switch responsible for its own vlans/IP subnets in terms of routing, and then run a dynamic routing protocol between the switches to exchange routes.

Jon

That is because they are L2 switches, so they will have their default gateway set to core switch 1. Because they are L2 switches they do not route, so they act as a host would, i.e. for any IP subnet they do not know about, which is every IP subnet other than the one they have an IP address from, they simply send traffic to their default gateway. The L3 switch can't do this because it is routing, so if it needs to send a packet to a subnet that it does not have an interface configured in it must use its routing table. And at the moment you only have a default route for it to use. So you need to add routes so it knows how to get to the internal subnets.

Jon

Hi Kevin

If PBR is not supported then VRFs won't be either. If all traffic for all the vlans goes through the same IPS and to the same firewall, but you have different interfaces on the IPS and firewall for that specific vlan, then just don't create a L3 interface for it on the 4500, i.e. you simply extend the vlan to either the IPS or firewall. I say either because you extend it to the next L3 hop. I suspect that might be the firewall but could you confirm. You then make the IP address on the firewall (or IPS) the default gateway for clients in that specific vlan. If I have misunderstood please clarify.

Edit - I have assumed that you do not want this specific vlan to communicate with any of the other vlans on the 4500.

Jon

I think this comes back to what we were discussing yesterday. You can ping when you use the default-gateway because that is pointing back to the core switch at site 1. But if the switch is L3 it will use its default route, which means it will send traffic for a remote subnet (i.e. a subnet not configured on the switch) to the firewall. The solution is to add routes to the core switch in site 2 for the subnets in site 1 and it will all work. You can either use static routes or you can run a dynamic routing protocol between the two L3 switches to exchange routes.

Jon
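The routing-table behaviour behind the VRF suggestion (vlan 2 in its own table with its own default route) and the site 2 L3 switch replies above (an unknown subnet falls through to the default route until a specific route is added), as one added example that is not part of the original posts. The subnets, next hops and table contents are constructed; `ipaddress` from the standard library does the prefix matching.

```python
# Added example, not from the original posts: a small routing-table model
# with longest-prefix match. Addresses and next hops are constructed.
import ipaddress

class RoutingTable:
    def __init__(self, name):
        self.name = name
        self.routes = []  # list of (ip_network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        """Longest-prefix match: the most specific matching route wins,
        and 0.0.0.0/0 (the default route) only matches when nothing else does."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, next_hop in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None

def site2_core(with_static_routes):
    """Site 2 L3 switch: its connected vlan plus a default route to the
    firewall. Without routes for site 1, site 1 traffic goes to the firewall."""
    rt = RoutingTable("global")
    rt.add("10.2.10.0/24", "connected vlan 10")
    rt.add("0.0.0.0/0", "firewall")
    if with_static_routes:
        # equivalent of a static route for the site 1 block via the site 1 core
        rt.add("10.1.0.0/16", "site1 core")
    return rt

def vrf_lite_switch():
    """Global table for vlans 5 and 6, and a separate table for vlan 2.
    Each table has its own default route, so they do not conflict."""
    glob = RoutingTable("global")
    glob.add("10.0.5.0/24", "connected vlan 5")
    glob.add("10.0.6.0/24", "connected vlan 6")
    glob.add("0.0.0.0/0", "corporate firewall")
    vrf = RoutingTable("vlan2-vrf")
    vrf.add("10.0.2.0/24", "connected vlan 2")
    vrf.add("0.0.0.0/0", "open access gateway")
    return glob, vrf
```

Looking up a vlan 6 address in the vlan 2 table returns the open access gateway rather than vlan 6, which is the "no visibility of the other vlans" property the VRF reply relies on.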

The book is right. From the question -

"If the next frame to reach the switch is a frame sent by PC3"

You have assumed that PC2 has sent a response to PC1. And if it had done, then you would be right and the answer would be B only. But the question makes no mention of a response from PC2. The question says PC1 sent a frame and then the very next frame came from PC3. The switch has not received a frame from PC2, so it doesn't know on which port the mac address for PC2 is.

Jon
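The MAC-learning point in the reply above, as an added example that is not part of the original post: a minimal switch model that learns source addresses on ingress and floods unknown destinations. The port names, MAC addresses and the frame sequence (PC1 sends to PC2, then the next frame comes from PC3) are constructed to mirror the order of events in the question.

```python
# Added example, not from the original post: minimal switch MAC learning
# and forwarding. Ports, MACs and the frame sequence are constructed.

class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # mac -> port it was last seen on

    def receive(self, in_port, src_mac, dst_mac):
        """Learn src_mac on in_port, then forward: a known destination goes
        out its port, an unknown destination is flooded to all other ports,
        and a destination known on the ingress port is filtered (dropped)."""
        self.mac_table[src_mac] = in_port
        out = self.mac_table.get(dst_mac)
        if out is None:
            return sorted(p for p in self.ports if p != in_port)
        if out == in_port:
            return []
        return [out]

def question_sequence():
    """PC1 on Fa0/1, PC2 on Fa0/2, PC3 on Fa0/3. PC2 never sends a frame,
    so the switch never learns its port and keeps flooding frames for it."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    pc1, pc2, pc3 = "0000.1111.1111", "0000.2222.2222", "0000.3333.3333"
    steps = [
        sw.receive("Fa0/1", pc1, pc2),  # PC1 -> PC2: PC2 unknown, flooded
        sw.receive("Fa0/3", pc3, pc2),  # next frame, PC3 -> PC2: still unknown, flooded
        sw.receive("Fa0/3", pc3, pc1),  # PC3 -> PC1: PC1 was learned on Fa0/1
    ]
    return sw.mac_table, steps
```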

In terms of addressing, I meant do you use public IPs assigned from the ISP or do you have your own provider independent public IPs? A lot depends on the capability of the Juniper firewall, but this is a Cisco site. If one ISP is for internet and the other for branch traffic then how are you going to failover, i.e. they don't do the same thing.

Jon